Monday October 15, 2018

Websites such as Western Union, Tinder, Shopify, Yelp, Imgur, and more have been exposing their customers to XSS attacks due to a flaw in the Branch.io service used by major corporations around the world. "The Branch.io company provides the leading mobile linking platform, with solutions that unify user experience and measurement across different devices, platforms, and channels." The vpnMentor blog explains that the DOM-based XSS vulnerability would have worked in many different browsers and shows how easily it could have been exploited. Because the flaw lived on a shared Branch.io host that each customer fronts with its own subdomain, a single bug exposed every company whose link domain pointed there. It is recommended that users change their passwords.

The fact that the vulnerability is DOM based and branch.io still isn't using CSP made these vulnerabilities easy to exploit in any browser we like. This meant that the redirect strategy could be modified with a specially crafted payload to manipulate the DOM. go.tinder.com is an alias for custom.bnc.lt, a Branch.io resource, and many other companies have their alias pointing to it. Thanks to the fast response we got from Branch's security team, this vulnerability has now been fixed for everyone's domains.